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Abstract 

This text is about hooking API functions on OS Windows. All examples here completely works on Windows systems 
based on NT technology version NT 4.0 and higher (Windows NT 4.0, Windows 2000, Windows XP). Probably 
will also work on others Windows systems. You should be familiar with processes on Windows, assembler, PE files 
structure and some API functions to understand whole text. When using term "Hooking API" here, I mean the 
full change of API. So, when calling hooked API, our code is run immediately. I do not deal with cases of API 
monitoring only. I will write about complete hooking. 
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I. Introduction 

This text is about hooking API functions on OS Windows. All examples here completely works on Windows systems 
based on NT technology version NT 4.0 and higher (Windows NT 4.0, Windows 2000, Windows XP). Probably 
will also work on others Windows systems. You should be familiar with processes on Windows, assembler, PE 
files structure and some API functions to understand whole text. When using term "Hooking API" here, I mean 
the full change of API. So, when calling hooked API, our code is run immediately. I do not deal with cases of 
API monitoring only. I will write about complete hooking. 

II. Hooking methods 

Our goal is generally to replace the code of some function with our code. This problem can be sometimes solved 
before running the process. This can be done mostly with user level process which are run by us and the goal is 
e.g. to change the program behaviour. Example of this can be application crack. E.g. program which wants original 
CD-ROM during startup (this was in the game Atlantis) and we want to run it without CDs. If we change the 
function for getting a drive type we would be able to run this program from the hard drive. This can not be done 
or we do not want to do this when want to hook system process (e.g. services) or in the case we do not know 
which process will be the target. Then we will use hooking during running technic. Example of using this can be 
rootkit or virus with anti-antivirus technics. 

A. Hooking before running 

This is about physical module change (mostly .exe or .dll) when the function, which we want to change, is. We've 
got three possibilities at least here on how to do this. The first is to find entry point of that function and basically 
to rewrite its code. This is limited by the function size but we can load some other modules dynamically (API 
LoadLibrary), so it could be enought. Kernel functions (kernel32.dll) can be used in all cases because each process 
in windows has its own copy of this module. Other advantage is if we know on which OS will be changed module 
run. We can use direct pointers in this case for e.g. API LoadLibraryA. This is because the address of kernel 
module in memory is static in the scope of one OS Windows version. We can also use behaviour of dynamically 
loaded module. In this case its initialization part is run immediately after loading to the memory. We are not limited 
in initialization part of new module. Second possibility of replacing function in module is its extension. Then we 
have to choose between replacing first 5 bytes by relative jump or rewriting IAT In the case of relative jump, this 
will redirect the code execution to our code. When calling function which IAT record is changed, our code will be 
executed directly after this call. But extension of the module is not so easy because we have to care about DLL 
header. Next one is replacing the whole module. That means we create own version of the module which can load 
the original one and call original functions which we are not interested in. But important functions will be totally 
new. This method is not so good for big modules which can contain hundreds of exports. 

B. Hooking during running 

Hooking before running is mostly very special and intimately oriented for concrete application (or module). If we 
replace function in kernel32.dll or in ntdll.dll (only on NT OS) we will get perfect replace of this function in all 
processes which will be run later, but it is so difficult to make it because we have to take care about accuracy and 
code prefection of new functions or whole new modules, but the main problem is that only process which will be 
run later will be hooked (so for all process we have to reboot system). Next problem could be access to these files 
because NT OS tries to protect them. Much more pretty solution is to hook process during running. This method 
require more knowledge but the result is perfect. Hooking during running can be done only on process for which 
we have writing access to their memory. For the writing in itself we will use API function WriteProcessMemory. 
We will start from hooking our own process during running. 
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1) Own process hooking using IAT: There are many possibilities here. At first I will show you how to hook function 
by rewriting IAT. Following picture shows structure of PE file: 



+ + 

| MS DOS Header ("MZ") and stub | 
+ + 

PE signature ("PE") 
+ + 

.text 
Program Code 

+ + 

.data 
Initialized Data 

+ + 

. idata 
Import Table 

+ + 

.edata 
Export Table 

+ + 

Debug symbols 
+ + 



offset 0 



module code 



initialized (global static) data 



information for imported functions 
and data 



information for exported functions 
and data 



Important part for us here is Import Address Table (IAT) in the .idata part. This part contains description of imports 
and mainly imported functions addresses. Now it is important to know how are PE files created. When calling 
arbitrary API indirectly in programming language (that means we call it using its name, no using its OS specific 
address) the compiler does not link direct calls to the module but it links call to IAT on jmp instruction which 
will be filled by process loader while OS is loading process to the memory. This is why we can use the same 
binary on two different version os Windows where modules can be loaded to another addresses. Process loader 
will fill out direct jmp instructions in IAT which is used by our calls from the program code. So, if we are able to 
find out specific function in IAT which we want to hook, we can easily change jmp instruction there and redirect 
code to our address. Every call after doing this will execute our code. Advantage of this method is its perfection. 
Disadvantage is often amount of functions which should be hooked (e.g. if we want to change program behaviour 
in the file searching APIs we will have to change functions FindFirstFile and FindNextFile, but we have to know 
that these functions have its ANSI and WIDE version, so we have to change IAT address for FindFirstFileA, 
FindFirstFileW, FindNextFileA and also FileNextFileW. But there still some others like FindFirstFileExA and its 
WIDE version FindFirstFileExW which are called by previous mentioned functions. We know that FindFirstFileW 
calls FindFirstFileExW but this is done directly - not usinig IAT. And still some others to go. There are e.g. ShellAPI 
functions like SHGetDesktopFolder which also directly calls FindFirstFileW or FindFirstFileExW). But if we will 
get all of them, the result will be perfect. We can use ImageDirectoryEntryToData from imagehlp.dll to find out 
IAT easily. 
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PVOID ImageDirectoryEntryToData ( 

IN LPVOID Base, 

IN BOOLEAN MappedAs Image , 

IN USHORT DirectoryEntry, 

OUT PULONG Size 

) ; 

We will use Instance of our application as Base (Instance can be get by calling GetModuleHandle: 
hlnstance = GetModuleHandleA (NULL) ; 

), and as DirectoryEntry we will use constant IMAGE_DIRECTORY_ENTRY_IMPORT . 
#define IMAGE_DIRECTORY_ENTRY_IMPORT 1 

Result of this function is pointer to the first IAT record. IAT records are structures which are defined by I 
IMAGE_IMPORT_DESCRIPTOR. So, the result is a pointer on IMAGE_IMPORT_DESCRI PTOR. 

typedef struct _IMAGE_THUNK_DATA { 
union { 

PBYTE ForwarderString; 
PDWORD Function; 
DWORD Ordinal; 

PIMAGE_IMPORT_BY_NAME AddressOf Data ; 

} ; 

} IMAGE_THUNK_DATA , * P I MAGE_THUNK_DATA ; 

typedef struct _IMAGE_IMPORT_DESCRIPTOR { 
union { 

DWORD Characteristics; 

P I MAGE_THUNK_DATA OriginalFirs t Thunk ; 

} ; 

DWORD TimeDateStamp; 
DWORD ForwarderChain; 
DWORD Name; 

P I MAGE_THUNK_DATA FirstThunk; 

} IMAGE_IMPORT_DESCRIPTOR , *PIMAGE_IMPORT_DESCRIPTOR; 

The Name value in IMAGE_IMPORT_DESCRIPTOR is a relative reference to the name of module. If we want to 
hook a function e.g. from kernel32.dll we have to find out in imports which belongs to the descriptor with name 
kernel32.dll. We will call ImageDirectoryEntryToData at first and than we will try to find descriptor with name 
"kernel32.dll" (there can be more than one descriptor with this name). Finally we will have to find our function 
in the list of all functions in the record (address of our function can be get by GetProcAddress function). If we 
find it we must use VirtualProtect to change memory page protection and after then we can write to this part of 
memory. After rewriting the address we have to change the protection back. Before calling VirtualProtect we have 
to know some information about this memory page. This is done by VirtualQuery. We can add some tests in case 
some calls will fail (e.g. we will not continue if the first VirtualProtect call failed, etc) 
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PCSTR pszHookModName = "kernel32 . dll " , pszSleepName = "Sleep"; 
HMODULE hKernel = GetModuleHandle (pszHookModName) ; 
PROC pfnNew = (PROC) 0x12345678 , //new address will be here 

pf nHookAPIAddr = GetProcAddress (hKernel , pszSleepName) ; 

ULONG ulSize; 

PIMAGE_IMPORT_DESCRIPTOR plmportDesc = 
(PIMAGE_IMPORT_DESCRIPTOR) ImageDirectoryEntryToData ( 
hlnstance , 
TRUE, 

I MAGE_D I RE CTORY_ENTRY_I MPORT , 

&ulSize 

) ; 

while (plmportDesc- >Name) 
{ 

PSTR pszModName = (PSTR) ( (PBYTE) hlnstance + plmportDesc- >Name) ; 

if (stricmp (pszModName, pszHookModName) == 0) 

break; 

pImportDesc++ ; 
} 

P I MAGE_THUNK_DATA pThunk = 

(PIMAGE_THUNK_DATA) ( (PBYTE) hlnstance + plmportDesc - >FirstThunk) ; 

while (pThunk- >ul . Function) 
{ 

PROC* ppfn = (PROC*) kpThunk- >ul . Function; 
BOOL bFound = (*ppfn == pf nHookAPIAddr ) ; 

if (bFound) 
{ 

MEMORY_BAS I CONFORMATION mbi; 
VirtualQuery ( 
ppfn, 
&mbi , 

sizeof ( MEMORY_BAS I C_INFORMATI ON ) 
) ; 

VirtualProtect ( 
mbi . BaseAddress , 
mbi . Regions ize , 
PAGE_READWRITE , 
&mbi . Protect) 
) 

*ppfn = *pfnNew; 
DWORD dwOldProtect; 
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VirtualProtect ( 
mbi . BaseAddress , 
mbi . RegionSize , 
mbi . Protect , 
kdwOldProtect 
) ; 

break; 
} 

pThunk++ ; 
} 

Result of calling Sleep(lOOO) can be for example this: 

00407BD8: 68E8030000 push 0000003E8h 
00407BDD: E812FAFFFF call Sleep 

Sleep: ;this is jump on address in I AT 

004075F4: FF25BCA14000 jmp dword ptr [00040AlBCh] 

original table: 

0040A1BC: 79 67 E8 77 00 00 00 00 
new table : 

0040A1BC: 78 56 34 12 00 00 00 00 
So the final jump is to 0x12345678. 

2) Own process hooking using entry point rewriting: The method of rewriting first few instructions on the function 
entry point is realy simple. As in the case of rewritng address in IAT we have to change a page protection at first. 
Here it will be first 5 bytes of the given function which we want to hook. For later usage we will use dynamical 
alocation of MEMORY_BAS I C_I NFORMAT I ON structure. The beginning of the function is get by GetProcAddress 
again. On this address we will insert relative jump to our code. Following program calls Sleep(5000) (so it will 
wait for 5 seconds), than the Sleep functions is hooked and redirected to new_sleep, finally it calls Sleep(5000) 
again. Because new function new_sleep does nothing and returns immediately the whole program will take only 
5 in place of 10 seconds. 
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.386p 

.model flat, stdcall 

includelib lib\kernel32 . lib 
Sleep PROTO : DWORD 
GetModuleHandleA PROTO : DWORD 
GetProcAddress PROTO : DWORD, : DWORD 
VirtualQuery PROTO : DWORD, : DWORD, : DWORD 
VirtualProtect PROTO : DWORD, : DWORD, : DWORD, : DWORD 
VirtualAlloc PROTO :DWORD, :DWORD, :DWORD, : DWORD 
VirtualFree PROTO : DWORD, : DWORD, : DWORD 
FlushlnstructionCache PROTO :DWORD, :DWORD, : DWORD 
GetCurrentProcess PROTO 
ExitProcess PROTO : DWORD 



. data 

kernel_name db "kernel32 . dll " , 0 
sleep_name db "Sleep", 0 
old_protect dd ? 

MEMORY_BAS I C_I NFORMAT I ON_S I Z E equ 2 8 

PAGE_READWR I TE dd 000000004h 
PAGE_EXECUTE_READWRITE dd 000000040h 
MEM_COMMIT dd 00000100 Oh 
MEM RELEASE dd 000008000h 



. code 
start : 
push 5000 
call Sleep 

do_hook : 
push offset kernel_name 
call GetModuleHandleA 
push offset sleep_name 
push eax 

call GetProcAddress 

mov edi,eax ; finally got Sleep address 

push PAGE_READWRITE 
push MEM_COMMIT 

push MEMORY_BAS I C_INFORMATION_S I ZE 
push 0 

call VirtualAlloc 
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test eax, eax 
jz do_sleep 

mov esi,eax ;alocation for MB I 

push MEMORY_BAS I C_INFORMATION_S I ZE 
push esi 
push edi 

call VirtualQuery ;inforamtion about the memory page 
test eax,eax 
j z f ree_mem 

call GetCurrentProcess 
push 5 
push edi 
push eax 

call FlushlnstructionCache ;just to be sure :) 

lea eax, [esi+014h] 
push eax 

push PAGE_EXE CUTE_RE ADWR I TE 
lea eax, [esi+OOCh] 
push [eax] 
push [esi] 

call VirtualProtect ;we will change protection for a moment 

;so we will be able to write there 
test eax, eax 
j z f ree_mem 

mov byte ptr [edi] , 0E9h ;to write relative jump 
mov eax, offset new_sleep 
sub eax, edi 
sub eax, 5 
inc edi 

stosd ;this is relative address for jump 

push offset old_protect 

lea eax, [esi+014h] 

push [eax] 

lea eax, [esi+OOCh] 

push [eax] 

push [esi] 

call VirtualProtect ; return back the protection of page 

f ree_mem : 
push MEM_RELEASE 
push 0 
push esi 

call VirtualFree ; f ree memory 
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do_sleep : 
push 5000 
call Sleep 
push 0 

call ExitProcess 

new_sleep : 
ret 004h 
end start 

Result of the second call Sleep is this: 

004010A4: 6888130000 push 000001388h 
004010A9: E80A000000 call Sleep 



Sleep: ;toto je jump na adresu v I AT 

004010B8: FF2514204000 jmp dword ptr [000402014h] 

tabulka : 

00402014: 79 67 E8 77 6C 7D E8 77 
Kernel32 . Sleep : 

77E86779: E937A95788 jmp 0004010B5h 
new_sleep : 

004010B5: C20400 ret 004h 

3) Original function saving: Mostly we need more than a function hook. For example in case when we don't want 
to replace the given function but only to check its result, or in case when we want to replace the function only 
sometimes e.g. when it is called with specific arguments. Good example of this is already mentioned files hiding 
done by replacing FindXXXFile functions. So if we want to hide specific files and don't want to be noticeable 
we have to leave original function for all other files without changing the functions behavior. This is simple when 
using method of rewriting IAT. For calling original function we can get its original address with GetProcAddress 
and then call it directly. But the problem occurs when using rewriting entry point method. By rewriting those 5 
bytes at the functions entry point we lost original function irrecoverably. So we need to save first instructions. We 
can use following technic. We know we will rewrite only first 5 bytes but don't know how many instructions there 
are or how long they are. We have to reserve enough memory for first instructions. 16 bytes could be enought 
because there are usually not long instructions at the begin of function. Probably we can use less then 16. Whole 
reserverd memory will be filled with 0x90 (0x90 = nop) in case there are shorter instructions. Next 5 bytes will 
be relative jump which will be filled later. 

old_hook: db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h 
db 0 90h, 0 9 Oh, 0 90h, 0 9 Oh, 0 90h, 0 9 Oh, 0 9 Oh, 0 9 Oh 
db 0E9h, OOOh, OOOh, OOOh, OOOh 

Now we are ready to copy first instructions. It is a long stuff to get instruction length, this is why we will work 
with the complete engine. This was made by ZOMBiE. Input argument is instruction address for which we want 
to get length. Output is commonly in eax. 
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LDE32, Length-Disassembler Engine, 32-bit, 
special edition for REVERT tool 



(x) 1999-2000 ZOMBiE 



; version 1.05 

C_MEM1 

C_MEM2 

C_MEM4 

C_DATA1 

C_DATA2 

C_DATA4 

C_6 7 

C_MEM67 

C_6 6 

C_DATA6 6 
C_PREFIX 
C_MODRM 
C DATAW0 



public 
public 
public 
public 

disasm_main : 
_disasm_main : 
@disasm_main : 
DISASM MAIN: 



equ 
equ 
equ 
equ 
equ 
equ 
equ 
equ 
equ 
equ 
equ 
equ 
equ 

p386 
model 
locals @@ 

. code 

disasm_main 
_disasm_main 
@disasm_main 
DISASM MAIN 



OOOlh 
0002h 
0004h 
OlOOh 
0200h 
0400h 
OOlOh 
0020h 
lOOOh 
2000h 
0008h 
4000h 
8000h 



flat 



may be used simultaneously 



may be used simultaneously 



used with C_PREFIX 

C_67 ? C_MEM2 : C_MEM4 

used with C_PREFIX 

C_66 ? C_DATA2 : C_DATA4 

prefix, take opcode again 

MODxxxR/M 

opc&l ? C_DATA66 : C_DATA1 



; returns opcode length in EAX or -1 if error 
; input : pointer to opcode 



_f astcall 
cdecl 



EAX 

[ESP+4] 



;this is my first change here, it's the label only for calling this function 
get_instr_len : 

mov ecx, [esp+4] ; ECX = opcode ptr 

xor edx, edx ; flags 
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xor 



eax, eax 



@@pref ix : 



and 



dl, not C PREFIX 



mov 
inc 



al, [ecx] 
ecx 



or 



edx, table 1 [eax*4] 



test dl, C_PREFIX 
jnz ©©prefix 



cmp 
je 
cmp 
je 



al, 0F6h 
©©test 
al, 0F7h 
©©test 



cmp 
je 



al, OCDh 
@@int 



@@cont 



©©datawOdone : 



©©exitmodrm : 



@@mem67done : 



@@data6 6done : 



cmp al, OFh 

je @@0F 

test dh, C_DATAW0 shr 8 

jnz ©©datawO 

test dh, C_MODRM shr 8 

jnz ©©rnodrrn 

test dl, CJYIEM6 7 

jnz @@mem67 

test dh, C_DATA66 shr 8 

jnz @@data6 6 

mov eax, ecx 

sub eax, [esp+4] 



and edx, C_MEM1+C_MEM2+C_MEM4+C_DATA1+C_DATA2+C_DATA4 

add al, dl 

add al, dh 

;my second change heer, there was retn only in original version 
©©exit: ret 00004h 



©©test 



or dh, C_MODRM shr 8 

test byte ptr [ecx] , 00111000b 

jnz @@cont 



F6/F7 -- test 
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or dh, C_DATAW0 shr 8 

jmp @@cont 



@@int : 



or dh, C_DATA1 shr 8 

cmp byte ptr [ecx] , 20h 

jne @@cont 

or dh, C_DATA4 shr 8 

jmp @@cont 



@@0F : 



mov al, [ecx] 

inc ecx 

or edx, table 0F[eax*4] 



cmp 
jne 



edx, -1 
@@cont 



@@error : 



mov 
jmp 



eax, edx 
@@exit 



©OdatawO 



xor dh, C_DATA66 shr 8 

test al, 00000001b 

jnz ©OdatawOdone 

xor dh, (C_DATA6 6+C_DATA1) shr 

jmp ©OdatawOdone 



@@mem67 : 



xor dl , C_MEM2 

test dl, C_67 

jnz @@mem67done 

xor dl, C_MEM4+C_MEM2 

jmp @@mem67done 



@@data6 6 



xor dh, C_DATA2 shr 8 

test dh, C_66 shr 8 

jnz @@data66done 

xor dh, (C_DATA4+C_DATA2) shr 

jmp @@data66done 



@@modrm : 



mov 
inc 



al, [ecx] 
ecx 



mov 



ah, al ; ah=mod, al=rm 



and ax, 0C007h 

cmp ah, OCOh 

je @@exitmodrm 



test 
jnz 



dl, C_67 
@@modrml6 
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@@modrm32 



cmp 
jne 

mov 
inc 
and 



al, 04h 

@@a 

al, [ecx] 
ecx 

al, 07h 



sib 



@@a : 



@@mem4 



@@meml 



@@modrml6 



@@mem2 



cmp 
je 
cmp 
je 

cmp 
jne 

or 
jmp 

or 
jmp 

cmp 

je 

cmp 

je 

cmp 

jne 

or 
jmp 

endp 

. data 



ah, 40h 
@@meml 
ah, 80h 
@@mem4 

ax, 0 0 05h 
@@exitmodrm 

dl , C_MEM4 
@@exitmodrm 

dl , C_MEM1 
©Oexitmodrm 

ax, 0006h 
@@mem2 
ah, 40h 
@@meml 
ah, 80h 
@@exitmodrm 

dl , C_MEM2 
©Oexitmodrm 



OF 

F6 , F7 
CD 



analyzed in code, no flags (i.e. flags must be 0) 
--//-- (ttt=000 -- 3 bytes, otherwise 2 bytes) 
--//-- (6 bytes if CD 20, 2 bytes otherwise) 



table 1 



label 



dword 



normal instructions 



dd 
dd 
dd 
dd 
dd 
dd 



C_MODRM 

C_MODRM 

C_MODRM 

C_MODRM 

C_DATAW0 

C DATAWO 



00 
01 
02 
03 
04 
05 
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dd 0 ; 06 

dd 0 ; 07 

dd C_MODRM ; 0 8 

dd C_MODRM ; 0 9 

dd C_MODRM ; OA 

dd C_MODRM ; 0B 

dd C_DATAW0 ; 0C 

dd C_DATAW0 ; OD 

dd 0 ; OE 

dd 0 ; OF 

dd C_MODRM ; 10 

dd C_MODRM ; 11 

dd C_MODRM ; 12 

dd C_MODRM ; 13 

dd C_DATAW0 ; 14 

dd C_DATAW0 ; 15 

dd 0 ; 16 

dd 0 ; 17 

dd C_MODRM ; 18 

dd C_MODRM ; 19 

dd C_MODRM ; 1A 

dd C_MODRM ; IB 

dd C_DATAW0 ; 1C 

dd C_DATAW0 ; ID 

dd 0 ; IE 

dd 0 ; IF 

dd C_MODRM ; 2 0 

dd C_MODRM ; 21 

dd C_MODRM ; 22 

dd C_MODRM ; 2 3 

dd C_DATAW0 ; 24 

dd C_DATAW0 ; 2 5 

dd C_PREFIX ; 2 6 

dd 0 ; 27 

dd C_MODRM ; 2 8 

dd C_MODRM ; 2 9 

dd C_MODRM ; 2A 

dd C_MODRM ; 2B 

dd C_DATAW0 ; 2C 

dd C_DATAW0 ; 2D 

dd C_PREFIX ; 2E 

dd 0 ; 2F 

dd C_MODRM ; 3 0 

dd C_MODRM ; 31 

dd C_MODRM ; 32 

dd C_MODRM ; 3 3 

dd C_DATAW0 ; 34 

dd C DATAWO ; 3 5 
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ad 


C PREFIX 


36 


ad 


0 


37 


dd 


C MODRM 


3 8 


dd 


C MODRM 


3 9 


dd 


C MODRM 


3A 


dd 


C MODRM 


3B 


dd 


C DAT AW 0 


3C 


dd 


C DAT AW 0 


3D 


dd 


/ * -T—S T , 1 1 T 1 — 1 — "T T 

C PREFIX 


3E 


dd 


0 


3F 


dd 


0 


4 0 


dd 


0 


4 1 


dd 


0 


42 


dd 


0 


43 


dd 


0 


44 


dd 


0 


45 


dd 


0 


46 


dd 


0 


4 7 


dd 


0 


4 8 


dd 


0 


49 


dd 


0 


4A 


dd 


0 


4B 


dd 


0 


4C 


dd 


0 


4D 


dd 


0 


4E 


dd 


0 


4F 


dd 


0 


50 


dd 


0 


51 


dd 


0 


52 


dd 


0 


53 


dd 


0 


54 


dd 


0 


55 


dd 


0 


56 


dd 


0 


57 


dd 


0 


58 


dd 


0 


59 


dd 


0 


5A 


dd 


0 


5B 


dd 


0 


5C 


dd 


0 


5D 


dd 


0 


5E 


dd 


0 


5F 


dd 


0 


60 


dd 


0 


61 


dd 


C_MODRM 


62 


dd 


C_MODRM 


63 


dd 


C_PREFIX 


64 


dd 


C PREFIX 


65 
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dd C_PREFIX+C_66 ; 66 

dd C_PREFIX+C_6 7 ; 67 

dd C_DATA66 ; 6 8 

dd C_MODRM+C_DATA66 ; 6 9 

dd C_DATA1 ; 6A 

dd C_MODRM+C_DATAl ; 6B 

dd 0 ; 6C 

dd 0 ; 6D 

dd 0 ; 6E 

dd 0 ; 6F 

dd C_DATA1 ; 7 0 

dd C_DATA1 ; 71 

dd C_DATA1 ; 72 

dd C_DATA1 ; 7 3 

dd C_DATA1 ; 74 

dd C_DATA1 ; 7 5 

dd C_DATA1 ; 7 6 

dd C_DATA1 ; 7 7 

dd C_DATA1 ; 7 8 

dd C_DATA1 ; 7 9 

dd C_DATA1 ; 7A 

dd C_DATA1 ; 7B 

dd C_DATA1 ; 7C 

dd C_DATA1 ; 7D 

dd C_DATA1 ; 7E 

dd C_DATA1 ; 7F 

dd C_MODRM+C_DATAl ; 8 0 

dd C_MODRM+C_DATA66 ; 81 

dd C_MODRM+C_DATAl ; 82 

dd C_MODRM+C_DATAl ; 83 

dd C_MODRM ; 84 

dd C_MODRM ; 85 

dd C_MODRM ; 86 

dd C_MODRM ; 87 

dd C_MODRM ; 8 8 

dd C_MODRM ; 8 9 

dd C_MODRM ; 8A 

dd C_MODRM ; 8B 

dd C_MODRM ; 8C 

dd C_MODRM ; 8D 

dd C_MODRM ; 8E 

dd C_MODRM ; 8F 

dd 0 ; 90 

dd 0 ; 91 

dd 0 ; 92 

dd 0 ; 93 

dd 0 ; 94 

dd 0 ; 95 
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dd 0 ; 96 

dd 0 ; 97 

dd 0 ; 98 

dd 0 ; 99 

dd C_DATA66+C_MEM2 ; 9A 

dd 0 ; 9B 

dd 0 ; 9C 

dd 0 ; 9D 

dd 0 ; 9E 

dd 0 ; 9F 

dd CJYIEM6 7 ; AO 

dd C_MEM6 7 ; Al 

dd C_MEM6 7 ; A2 

dd C_MEM6 7 ; A3 

dd 0 ; A4 

dd 0 ; A5 

dd 0 ; A6 

dd 0 ; A7 

dd C_DATA1 ; A8 

dd C_DATA66 ; A9 

dd 0 ; AA 

dd 0 ; AB 

dd 0 ; AC 

dd 0 ; AD 

dd 0 ; AE 

dd 0 ; AF 

dd C_DATA1 ; BO 

dd C_DATA1 ; Bl 

dd C_DATA1 ; B2 

dd C_DATA1 ; B3 

dd C_DATA1 ; B4 

dd C_DATA1 ; B5 

dd C_DATA1 ; B6 

dd C_DATA1 ; B7 

dd C_DATA66 ; B8 

dd C_DATA66 ; B9 

dd C_DATA66 ; BA 

dd C_DATA66 ; BB 

dd C_DATA66 ; BC 

dd C_DATA66 ; BD 

dd C_DATA66 ; BE 

dd C_DATA66 ; BF 

dd C_MODRM+C_DATAl ; CO 

dd C_M0DRM+C_DATA1 ; CI 

dd C_DATA2 ; C2 

dd 0 ; C3 

dd C_MODRM ; C4 

dd C MODRM ; C5 
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dd C_MODRM+C_DATAl ; C6 

dd C_MODRM+C_DATA66 ; C7 

dd C_DATA2+C_DATA1 ; C8 

dd 0 ; C9 

dd C_DATA2 ; CA 

dd 0 ; CB 

dd 0 ; CC 

dd 0 ; CD 

dd 0 ; CE 

dd 0 ; CF 

dd C_MODRM ; DO 

dd C_MODRM ; Dl 

dd C_MODRM ; D2 

dd C_MODRM ; D3 

dd C_DATA1 ; D4 

dd C_DATA1 ; D5 

dd 0 ; D6 

dd 0 ; D7 

dd C_MODRM ; D8 

dd C_MODRM ; D9 

dd C_MODRM ; DA 

dd C_MODRM ; DB 

dd C_MODRM ; DC 

dd C_MODRM ; DD 

dd C_MODRM ; DE 

dd C_MODRM ; DF 

dd C_DATA1 ; E0 

dd C_DATA1 ; El 

dd C_DATA1 ; E2 

dd C_DATA1 ; E3 

dd C_DATA1 ; E4 

dd C_DATA1 ; E5 

dd C_DATA1 ; E6 

dd C_DATA1 ; E7 

dd C_DATA66 ; E8 

dd C_DATA66 ; E9 

dd C_DATA66+C_MEM2 ; EA 

dd C_DATA1 ; EB 

dd 0 ; EC 

dd 0 ; ED 

dd 0 ; EE 

dd 0 ; EF 

dd C_PREFIX ; F0 

dd 0 ; Fl 

dd C_PREFIX ; F2 

dd C_PREFIX ; F3 

dd 0 ; F4 

dd 0 ; F5 
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dd 0 ; F6 

dd 0 ; F7 

dd 0 ; F8 

dd 0 ; F9 

dd 0 ; FA 

dd 0 ; FB 

dd 0 ; FC 

dd 0 ; FD 

dd C_MODRM ; FE 

dd C_MODRM ; FF 

table_0F label dword ; OF-prefixed instructions 

dd C_MODRM ; 0 0 

dd C_MODRM ; 01 

dd C_MODRM ; 02 

dd C_MODRM ; 03 

dd -1 ; 04 

dd -1 ; 05 

dd 0 ; 06 

dd -1 ; 07 

dd 0 ; 0 8 

dd 0 ; 09 

dd 0 ; OA 

dd 0 ; 0B 

dd -1 ; 0C 

dd -1 ; 0D 

dd -1 ; OE 

dd -1 ; OF 

dd -1 ; 10 

dd -1 ; 11 

dd -1 ; 12 

dd -1 ; 13 

dd -1 ; 14 

dd -1 ; 15 

dd -1 ; 16 

dd -1 ; 17 

dd -1 ; 18 

dd -1 ; 19 

dd -1 ; 1A 

dd -1 ; IB 

dd -1 ; 1C 

dd -1 ; ID 

dd -1 ; IE 

dd -1 ; IF 

dd -1 ; 20 

dd -1 ; 21 

dd -1 ; 22 
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dd 


- 1 


23 


dd 


- 1 


24 


dd 


- 1 


25 


dd 


- 1 


26 


dd 


- 1 


27 


dd 


- 1 


28 


dd 


- 1 


2 9 


dd 


- 1 


2A 


dd 


- 1 


2B 


dd 


- 1 


2C 


dd 


- 1 


2D 


dd 


- 1 


2E 


dd 


- 1 


2F 


dd 


- 1 


3 0 


dd 


- 1 


3 1 


dd 


- 1 


32 


dd 


- 1 


33 


dd 


- 1 


34 


dd 


- 1 


35 


dd 


- 1 


36 


dd 


- 1 


37 


dd 


- 1 


3 8 


dd 


- 1 


3 9 


dd 


- 1 


3A 


dd 


- 1 


3B 


dd 


- 1 


3C 


dd 


- 1 


3D 


dd 


- 1 


3E 


dd 


- 1 


3F 


dd 


- 1 


4 0 


dd 


- 1 


4 1 


dd 


- 1 


42 


dd 


- 1 


43 


dd 


- 1 


44 


dd 


- 1 


45 


dd 


- 1 


46 


dd 


- 1 


47 


dd 


- 1 


4 8 


dd 


- 1 


4 9 


dd 


- 1 


4A 


dd 


- 1 


4B 


dd 


- 1 


4C 


dd 


- 1 


4D 


dd 


- 1 


4E 


dd 


-1 


4F 


dd 


-1 


50 


dd 


-1 


51 


dd 


-1 


52 
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dd 


- 1 


53 


dd 


- 1 


54 


dd 


- 1 


55 


dd 


- 1 


56 


dd 


- 1 


57 


dd 


- 1 


58 


dd 


- 1 


59 


dd 


- 1 


5A 


dd 


- 1 


5B 


dd 


- 1 


5C 


dd 


- 1 


5D 


dd 


- 1 


5E 


dd 


- 1 


5F 


dd 


- 1 


60 


dd 


- 1 


61 


dd 


- 1 


62 


dd 


- 1 


63 


dd 


- 1 


64 


dd 


- 1 


65 


dd 


- 1 


66 


dd 


- 1 


67 


dd 


- 1 


68 


dd 


- 1 


69 


dd 


- 1 


6A 


dd 


- 1 


6B 


dd 


- 1 


6C 


dd 


- 1 


6D 


dd 


- 1 


6E 


dd 


- 1 


6F 


dd 


- 1 


70 


dd 


- 1 


71 


dd 


- 1 


72 


dd 


- 1 


73 


dd 


- 1 


74 


dd 


- 1 


75 


dd 


- 1 


76 


dd 


- 1 


77 


dd 


- 1 


78 


dd 


- 1 


79 


dd 


- 1 


7A 


dd 


- 1 


7B 


dd 


- 1 


7C 


dd 


- 1 


7D 


dd 


-1 


7E 


dd 


-1 


7F 


dd 


C_DATA66 


80 


dd 


C_DATA66 


81 


dd 


C DATA 6 6 


82 
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dd C_DATA66 ; 83 

dd C_DATA66 ; 84 

dd C_DATA66 ; 85 

dd C_DATA66 ; 86 

dd C_DATA66 ; 87 

dd C_DATA66 ; 88 

dd C_DATA66 ; 8 9 

dd C_DATA66 ; 8A 

dd C_DATA66 ; 8B 

dd C_DATA66 ; 8C 

dd C_DATA66 ; 8D 

dd C_DATA66 ; 8E 

dd C_DATA66 ; 8F 

dd C_MODRM ; 9 0 

dd C_MODRM ; 91 

dd C_MODRM ; 92 

dd C_MODRM ; 93 

dd C_MODRM ; 94 

dd C_MODRM ; 95 

dd C_MODRM ; 96 

dd C_MODRM ; 97 

dd C_MODRM ; 9 8 

dd C_MODRM ; 9 9 

dd C_MODRM ; 9A 

dd C_MODRM ; 9B 

dd C_MODRM ; 9C 

dd C_MODRM ; 9D 

dd C_MODRM ; 9E 

dd C_MODRM ; 9F 

dd 0 ; AO 

dd 0 ; Al 

dd 0 ; A2 

dd C_MODRM ; A3 

dd C_MODRM+C_DATAl ; A4 

dd C_MODRM ; A5 

dd -1 ; A6 

dd -1 ; A7 

dd 0 ; A8 

dd 0 ; A9 

dd 0 ; AA 

dd C_MODRM ; AB 

dd C_MODRM+C_DATAl ; AC 

dd C_MODRM ; AD 

dd -1 ; AE 

dd C_MODRM ; AF 

dd C_MODRM ; BO 

dd C_MODRM ; Bl 

dd C MODRM ; B2 
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dd C_MODRM ; B3 

dd C_MODRM ; B4 

dd C_MODRM ; B5 

dd C_MODRM ; B6 

dd C_MODRM ; B7 

dd -1 ; B8 

dd -1 ; B9 

dd C_MODRM+C_DATAl ; BA 

dd C_MODRM ; BB 

dd C_MODRM ; BC 

dd C_MODRM ; BD 

dd C_MODRM ; BE 

dd C_MODRM ; BF 

dd C_MODRM ; CO 

dd C_MODRM ; CI 

dd -1 ; C2 

dd -1 ; C3 

dd -1 ; C4 

dd -1 ; C5 

dd -1 ; C6 

dd -1 ; C7 

dd 0 ; C8 

dd 0 ; C9 

dd 0 ; CA 

dd 0 ; CB 

dd 0 ; CC 

dd 0 ; CD 

dd 0 ; CE 

dd 0 ; CF 

dd -1 ; DO 

dd -1 ; Dl 

dd -1 ; D2 

dd -1 ; D3 

dd -1 ; D4 

dd -1 ; D5 

dd -1 ; D6 

dd -1 ; D7 

dd -1 ; D8 

dd -1 ; D9 

dd -1 ; DA 

dd -1 ; DB 

dd -1 ; DC 

dd -1 ; DD 

dd -1 ; DE 

dd -1 ; DF 

dd -1 ; E0 

dd -1 ; El 

dd -1 ; E2 
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dd 


- 1 


E3 


dd 


- 1 


E4 


dd 


- 1 


E5 


dd 


- 1 


E6 


dd 


- 1 


E7 


dd 


- 1 


E8 


dd 


- 1 


E9 


dd 


- 1 


EA 


dd 


- 1 


EB 


dd 


- 1 


EC 


dd 


- 1 


ED 


dd 


- 1 


EE 


dd 


- 1 


EF 


dd 


- 1 


FO 


dd 


- 1 


Fl 


dd 


- 1 


F2 


dd 


- 1 


F3 


dd 


- 1 


F4 


dd 


- 1 


F5 


dd 


- 1 


F6 


dd 


- 1 


F7 


dd 


- 1 


F8 


dd 


- 1 


F9 


dd 


- 1 


FA 


dd 


- 1 


FB 


dd 


-1 


FC 


dd 


-1 


FD 


dd 


-1 


FE 


dd 


-1 


FF 



end 
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Now we are able to get instruction length on arbitrary address. We will repeat this call until 5 bytes are read. After 
this we will copy these bytes to old_hook. We know how long are first instructions, so we can fill out the relative 
jump address on the next instruction in original function. 

.386p 

.model flat, stdcall 



. data 

kernel_name db "kernel32 . dll " , 0 
sleep_name db "Sleep", 0 



MEM_RE LE AS E dd 00000800 0b. 

;16 nops + one relative jump 
old_sleep db 090h, 090h, 090h, 090h, 090h, 090h, 090h, 090h, 
0 90h, 0 9 Oh, 0 90h, 0 9 Oh, 0 90h, 0 9 Oh, 0 9 Oh, 0 9 Oh, 
0E9h, 0 0 Oh, 0 0 Oh, 0 0 Oh, 0 0 Oh 



. code 
start : 
push 5000 
call Sleep 

do_hook : 
push offset kernel_name 
call GetModuleHandleA 
push offset sleep_name 
push eax 

call GetProcAddress 

push eax 
mov esi,eax 

xor ecx,ecx 
mov ebx,esi 

get_f ive_bytes : 
push ecx 
push ebx 

call get_instr_len /calling LDE32 
pop ecx 
add ecx, eax 
add ebx, eax 
cmp ecx, 5 
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jb get_f ive_bytes 

mov edi, offset old_sleep ; counting relative jump address 

mov [edi+Ollh] , ebx 

sub [edi+Ollh] , edi 

sub dword ptr [edi+Ollh] , 015h 

rep movsb 

pop edi 

,-following code was above, so without comments 



push PAGE_READWRITE 
push MEM_COMMIT 

push MEMORY_BASIC_INFORMATION_SIZE 
push 0 

call VirtualAlloc 
test eax,eax 
jz do_sleep 
mov esi,eax 



push MEMORY_BAS I C_INFORMATION_S I ZE 
push esi 
push edi 

call VirtualQuery 
test eax,eax 
j z f ree_mem 

call GetCurrentProcess 
push 5 
push edi 
push eax 

call FlushlnstructionCache 



lea eax, [esi+014h] 
push eax 

push PAGE_EXE CUTE_RE ADWR I TE 

lea eax, [esi+OOCh] 

push [eax] 

push [esi] 

call VirtualProtect 

test eax, eax 

j z f ree_mem 

mov byte ptr [edi] , 0E9h 

mov eax, offset new_sleep 

sub eax, edi 

sub eax, 5 

inc edi 

stosd 
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push offset old_protect 

lea eax, [esi+014h] 

push [eax] 

lea eax, [esi+OOCh] 

push [eax] 

push [esi] 

call VirtualProtect 



f ree_mem : 
push MEM_RELEASE 
push 0 
push esi 

call VirtualFree 

do_sleep : 
push 5000 
call Sleep 
push 0 

call ExitProcess 

new_sleep : 
mov eax,dword ptr [esp+004h] 
add eax, eax /doubling timeout 
push eax 

mov eax, offset old_sleep 
call eax 
ret 004h 



,-calling old function 



After the hook it will look like this: 

004010CC: 6888130000 push 000001388h 
004010D1: E818090000 call Sleep 



Sleep: ,-this is jump on address in I AT 

004019EE: FF2514204000 jmp dword ptr [000402014h] 

tabulka : 

00402014: 79 67 E8 77 6C 7D E8 77 
Kernel32 . Sleep : 

77E86779: E95FA95788 jmp 0004010DDh 



new_sleep : 

004010DD 

004010E1 

004010E3 

004010E4 

004010E9 



8B442404 mov eax, dword ptr [esp+4] 
03C0 add eax, eax 
50 push eax 

B827304000 mov eax, 000403027h 
FFD0 call eax 
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old_sleep 

00403027 

00403029 

0040302D 

0040302E 

0040302F 

00403030 

00403031 

00403032 

00403033 

00403034 

00403035 

00403036 

00403037 



6A0 0 push 0 

FF742408 push dword ptr [esp+8] 

90 nop 

90 nop 

90 nop 

90 nop 

90 nop 

90 nop 

90 nop 

90 nop 

90 nop 

90 nop 

E94337A877 jmp Kernel32 . 77E8677F 



;this instruction is placed 1 byte after first instruction at Kernel32 . Sleep 
(77E86779) 

Kernel32 . 77E8677F: 

77E8677F: E803000000 call Kernel32 . SleepEx 
... /following is unimportant 

To make this clearer, this is how the original version of Kernel32. Sleep looks: 



Kernel32 . Sleep : 



77E86779 
77E8677B 
77E8677F 
77E86784 



6A0 0 push 0 

FF742408 push dword ptr [esp+8] 
E803000000 call Kernel32 . SleepEx 
C20400 ret 00004h 



As you can see we copied first and second instruction (it was 6 bytes here) and the relative jump pointed on the 
next instruction and that is how it should be. We have to supposed here that relative jumps are not placed as the first 
bytes of functions. If there would be we've got a problem. Next problem is with APIs like ntdll.DbgBreakPoint. 
These are too short for this method of hooking. And forasmuch as it is called by Kernel32.DebugBreak, it is 
not hookable by changing IAT But who want to hook function which does only the int 3 call? But nothing is 
impossible. You can think about it and you can find how to solve this. As I was thinking about this you can hook 
the following function after this one (it would be damaged by rewritng first 5 bytes of the previous function). 
Function DbgBreakPoint is 2 bytes long, so we can set some flags here and try to write conditional jump on the 
begining of the second function ... But this is not our problem now. With the problem of saving original function 
relates then unhooking. Unhooking is changing replaces bytes back to the original state. When rewriting IAT you 
will have to return original address to the table if you want to do unhooking. When using the five byte patch you 
will have to copy first original instructions back. Both ways are realy simple and no need to write more about this. 

4) Other process hooking: Now we will do something practical with hooking during running. Who want to deal 
with hooking own process? That is good only for learning basics but it is not much practical. I'll show you three 
methods of other process hooking. Two of them use API CreateRemoteThread which is only in Windows with NT 
technology. The problem of hooking is not so interesing for older windows version for me. After all I will try to 
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explain third method which I didn't practise, so it could be unfunctional. At first few about CreateRemoteThread. 
As the help says this function creates new thread in any process and runs its code. 

HANDLE CreateRemoteThread ( 
HANDLE hProcess, 

L P S E CUR I T Y_ATTR I BUTE S lpThreadAttributes , 
DWORD dwStackSize, 

L PTHREAD_S TART_ROUT INE IpStartAddress , 
LPVOID lpParameter, 
DWORD dwCreationFlags , 
LPDWORD lpThreadld 
) ; 

The handle hProcess can be get by OpenProcess. Here we have to have necessary rights. The pointer IpStartAddress 
points on memory place in TARGET process where the first instruction for new thread is. Because new thread is 
created in target process it is in memory of target process. The pointer lpParameter points on argument which will 
be refered to the new thread. 

a) DLL Injection: We are able to run new thread from any place in target process memory. This is useless unless we 
have own code in it. The first method cheats on this. It uses GetProcAddress to get actual address for LoadLibrary. 
Then routes IpStartAddress to the address of LoadLibrary. Function LoadLibary has only one parameter like the 
function for new thread in target process. 

HINSTANCE LoadLibrary ( 
LPCTSTR lpLibFileName 
) ; 

We will use this similarity and we will refer the name of our DLL library as lpParameter. After running new thread 
lpParameter will be on a place of lpLibFileName. The most important thing here is behavior decribed above. After 
loading new module into target process memory the initialization part is executed. If we place specific functions 
which will hook functions we want to we will win this stuff. After execution of initialization part, the thread will 
have nothing to do and close but our module is still in memory. This method is realy nice and easy to implement. 
This is called DLL Injection. But if you are like I am, you don't like must of having DLL library. But if one 
doesn't care about having this library it is the easiest and the fastest method (from the programmers sight). 

b) Independent code: Going on the way of independent code is very difficult but also very impressive thing. 
Independent code is the code without any statical addresses. Everything is relative in it towards some specific place 
in itself. This code is mostly done if we don't know the address where this code will be executed. Sure, it is 
possible to get this address and then to relink our code so as it will behave on the new address without errors 
but this is even harder than coding independent code. Example of this kind of code can be the virus code. The 
virus which infects executables in the way it adds itself somewhere into this executable. In different executables 
will be the virus code on different places depended e.g. on file structure on length. At first we have to insert our 
code into target process. Then function CreateRemoteThread will take care of running our code. So, at first we 
have to get some information about target process and get handle with OpenProcess. Then VirtualAllocEx will 
alloc some space in remote process memory for our code. Finally we will use WriteProcessMemory to write our 
code on allocated memory and run it. In CreateRemoteThread IpStartAddress will refer to allocated memory and 
lpParameter can be whatever we want. Because I realy don't like any unnecesarry files I use this method. 
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c) Raw change: There is not CreateRemoteThread in older windows version (without NT). So we can't use this for 
hooking. There are probably other and better methods how to hook than the method I will talk about now. In fact I 
don't know if this will work in practice (one never know when use Windows) but theoretically is everything ok. We 
don't need to have our code in target process to hook its functions at all. We have function WriteProcessMemory 
(this should be in all Windows version) and we have OpenProcess, too. Last thing we need is VirtualProtectEx 
which can change access to memory pages in target process. I can't see any reason why not to hook target process 
functions directly from our process... 

III. Ending 

This small document ends. I will greet any extension which will describe unmentionde methods of hook, I am sure 
there are a lot of them. I will also greet any extensions in the parts which were not described so intimately. You 
can also send me some source codes if they are fecund for the problem of hooking e.g. for parts where I was lazy 
to write the code. The goal of this document is to show deatails of every technics of hooking. I hope I've done the 
part of this. Special thanks to ZOMBiE for his work, so I haven't to code it myself and spend ages by studying 
tables for getting instruction length. 
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